
ncaptool - Network capture library

Author

ncaptool was written by Internet Systems Consortium and Jan Andres <jandres@gmx.net>.

This manual page was written by Thiago Andrade Marques <thmarques@gmail.com> for the Debian project (but may be used by others).

ncaptool-1.9.2                                     26 Mar 2020                                       ncaptool(8)

Description

ncaptool is a network capture library like libpcap (on which it is based) and tcpdump. It produces binary data in its own ncap format, which can be stored in a dump file or transmitted over a UDP socket. Unlike libpcap, it discards data link headers and only supports IPv4 and IPv6 packets, but it can perform reassembly of IP datagrams.

Example

       Common usage:

           $ ncaptool -t 3600 -k gzip -i enp9s0+ -o $FILE

       To inspect a compressed ncap file, run something like this:

           $ zcat $FILE | ncaptool -n - -vmg -

Name

ncaptool - Network capture library

Options

-h     display this help text and exit

       -d     increment debugging level

       -m     increment message trace level

       -f     flush outputs after every bufferable write

       -r     destination of -s can be a remote (off-LAN) address

       -w     use wallclock time not NCAP timestamp for -o files

       -v     emit a traffic summary to stderr on exit

       -S     stripe across all -s datasinks, round robin style

       -e endline
              specify continuation separator

       -i ifname[+]
              add interface as a datasource ('+' = promiscuous)

       -b bpf
              use this bpf pattern for any -i or -p datasources

       -p file
              add pcap file as a datasource ('-' = stdin)

       -n file
              add ncap file as a datasource ('-' = stdin)

       -l socket
              add datagram socket as a datasource (addr/port)

       -g file
              write msg trace to this file ('-' = stdout)

       -o file
              write ncap data to this file ('-' = stdout)

       -s so[,r[,f]]
              add this datagram socket as a datasink (addr/port) (optional ,r is the transmit rate in
              messages/sec) (optional ,f is schedule frequency, default is 100)

       -c count
              stop or reopen after this many msgs are processed

       -t interval
              stop or reopen after this amount of time has passed

       -1 [+-]value
              replace, set (+), or clear (-) user1 to this value

       -2 [+-]value
              replace, set (+), or clear (-) user2 to this value

       -k cmd
              make -c, -t continuous, run cmd on each new file (cmd can be empty if you just want the
              continuity)

       -Dmod[,args]
              add module

       -H[sd]
              hide source and/or destination IP addresses

       argument to -l and -s can be addr/port or addr/port..port (range)

See Also

ncap(3), tcpdump(8).

Synopsis

ncaptool [-h] [-d] [-m] [-f] [-r] [-w] [-v] [-S] [-e] [-i]
                [-b] [-p] [-n] [-l] [-g] [-o] [-s] [-c] [-t] [-1]
                [-2] [-k] [-Dmod] [-H]
